How I became a password cracker

Cracking passwords is officially a "script kiddie" activity now.

At the beginning of a sunny Monday morning earlier this month, I had never cracked a password. By the end of the day, I had cracked 8,000. Even though I knew password cracking was easy, I didn't know it was ridiculously easy—well, ridiculously easy once I overcame the urge to bash my laptop with a sledgehammer and finally figured out what I was doing.

My journey into the Dark-ish Side began during a chat with our security editor, Dan Goodin, who remarked in an offhand fashion that cracking passwords was approaching entry-level "script kiddie stuff." This got me thinking, because—though I understand password cracking conceptually—I can't hack my way out of the proverbial paper bag. I'm the very definition of a "script kiddie," someone who needs the simplified and automated tools created by others to mount attacks that he couldn't manage if left to his own devices. Sure, in a moment of poor decision-making in college, I once logged into port 25 of our school's unguarded e-mail server and faked a prank message to another student—but that was the extent of my black hat activities. If cracking passwords were truly a script kiddie activity, I was perfectly placed to test that assertion.

It sounded like an interesting challenge. Could I, using only free tools and the resources of the Internet, successfully:

Find a set of passwords to crack

Find a password cracker

Find a set of high-quality wordlists and

Get them all running on commodity laptop hardware in order to

Successfully crack at least one password

In less than a day of work?

I could. And I walked away from the experiment with a visceral sense of password fragility. Watching your own password fall in less than a second is the sort of online security lesson everyone should learn at least once—and it provides a free education in how to build a better password.

Enlarge/ My not-particularly-l33t cracking setup: a 2012 Core i5 MacBook Air and a Terminal window. The five columns of text in the Terminal window are a small subset of the hashes I cracked by day's end.

“Password recovery”

And so, with a cup of tea steaming on my desk, my e-mail client closed, and some Arvo Pärt playing through my headphone, I began my experiment. First I would need a list of passwords to crack. Where would I possibly find one?

Trick question. This is the Internet, so such material is practically lying around, like a shiny coin in the gutter, just begging you to reach down and pick it up. Password breaches are legion, and entire forums exist for the sole purpose of sharing the breached information and asking for assistance in cracking it.

Dan suggested that, in the interest of helping me get up to speed with password cracking, I start with one particular easy-to-use forum and that I begin with "unsalted" MD5-hashed passwords, which are straightforward to crack. And then he left me to my own devices. I picked a 15,000-password file called MD5.txt, downloaded it, and moved on to picking a password cracker.

Password cracking isn't done by trying to log in to, say, a bank's website millions of times; websites generally don't allow many wrong guesses, and the process would be unbearably slow even if it were possible. The cracks always take place offline after people obtain long lists of "hashed" passwords, often through hacking (but sometimes through legal means such as a security audit or when a business user forgets the password he used to encrypt an important document).

Hashing involves taking each user's password and running it through a one-way mathematical function, which generates a unique string of numbers and letters called the hash. Hashing makes it difficult for an attacker to move from hash back to password, and it therefore allows websites to safely (or "safely," in many cases) store passwords without simply keeping a plain list of them. When a user enters a password online in an attempt to log in to some service, the system hashes the password and compares it to the user's stored, pre-hashed password; if the two are an exact match, the user has entered the correct password.

For instance, hashing the password "arstechnica" with the MD5 algorithm produces the hash c915e95033e8c69ada58eb784a98b2ed. Even minor changes to the initial password produce completely different results; "ArsTechnica" (with two uppercase letters) becomes 1d9a3f8172b01328de5acba20563408e after hashing. Nothing about that second hash suggests that I am "close" to finding the right answer; password guesses are either exactly right or fail completely.

Prominent password crackers with names like John the Ripper and Hashcat work on the same principle, but they automate the process of generating attempted passwords and can hash billions of guesses a minute. Though I was aware of these tools, I had never used one of them; the only concrete information I had was that Hashcat was blindingly fast. This sounded perfect for my needs, because I was determined to crack passwords using only a pair of commodity laptops I had on hand—a year-old Core i5 MacBook Air and an ancient Core 2 Duo Dell machine running Windows. After all, I was a script kiddie—why would I have access to anything more?

I started on the MacBook Air, which meant that I had got to use the 64-bit, command-line version of Hashcat rather than the Windows graphical interface. Now, far be it from me to sling mud at command line lovers, who like to tell me endless stories about how they can pipe sed through awk and then grep the whole thing about 50 times more quickly than those poor schlubs clicking their mice on pretty icons and menus. I believe them, but I still prefer a GUI when trying to figure out the many options of a complex new program—and Hashcat certainly fit the bill.

Still, this was for science, so I downloaded Hashcat and jumped into Terminal. Hashcat doesn't include a manual, and I found no obvious tutorial (the program does have a wiki, as I learned later). Hashcat's own help output isn't the model of clarity one might hope for, but the basics were clear enough. I had to instruct the program which attack method to use, then I had to tell it which algorithm to use for hashing, and then I had to point it at my MD5.txt file of hashes. I could also assign "rules," and there were quite a few options to do with creating masks. Oh, and wordlists—they were an important part of the process, too. Without a GUI and without much in the way of instruction, getting Hashcat to run took the best part of a frustrating hour spent tweaking lines like this:

./hashcat-cli64.app MD5.txt -a 3 -m 0 -r perfect.rule

The above line was my attempt to run Hashcat against my MD5.txt collection of hashes using attack mode 3 ("brute force") and hashing method 0 (MD5) while applying the "perfect.rule" variations. This turned out to be badly misguided. For one thing, as I later learned, I had managed to parse the syntax of the command line incorrectly and had the "MD5.txt" entry in the wrong spot. And brute force attacks don't accept rules, which only operate on wordlists—though they do require a host of other options involving masks and minimum/maximum password lengths.

This was a bit much to muddle through with command-line switches. I embraced my full script kiddie-ness and switched to the Windows laptop, where I installed Hashcat and its separate graphical front end. With all options accessible by checkboxes and dropdowns, I could both see what I needed to configure and could do so without generating the proper command line syntax myself. Now, I was gonna crack some hashes!

The first hit

I began with attack mode 0 ("straight"), which takes text entries from a wordlist file, hashes them, and tries to match them against the password hashes. This failed until I realized that Hashcat came with no built-in worldlist of any kind (John the Ripper does come with a default 4.1 million entry wordlist); nothing was going to happen unless I went out and found one. Fortunately, I knew from reading Dan's 2012 feature on password cracking that the biggest, baddest wordlist out there had come from a hacked gaming company called RockYou. In 2009, RockYou lost a list of 14.5 million unique passwords to hackers.

As Dan put it in his piece, "In the RockYou aftermath, everything changed. Gone were word lists compiled from Webster's and other dictionaries that were then modified in hopes of mimicking the words people actually used to access their e-mail and other online services. In their place went a single collection of letters, numbers, and symbols—including everything from pet names to cartoon characters—that would seed future password attacks." Forget speculation—RockYou gave us a list of actual passwords picked by actual people.

Finding the RockYou file was the work of three minutes. I pointed Hashcat to the file and let it rip against my 15,000 hashes. It ran—and cracked nothing at all.

At this point, sick of trying to puzzle out best practices by myself, I looked online for examples of people putting Hashcat through its paces, and so ended up reading a post by Robert David Graham of Errata Security. In 2012, Graham was attempting to crack some of the 6.5 million hashes released as part of an infamous hack of social network LinkedIn, he was using Hashcat to do it, and he was documenting the entire process on his corporate blog. Bingo.

He began by trying the same first step I had tried—running the complete RockYou password list against the 6.5 million hashes—so I knew I had been on the right track. As in my attempt, Graham's straightforward dictionary attack failed to produce many results, identifying only 93 passwords. Whoever had hacked LinkedIn, it appeared, had already run such common attacks against the collection of hashes and had removed those that were simple to find; everything that was left presumably would take more work to uncover.

In Mac OS X Lion sudo is enabled by default as far as I know. It certainly is on my computer running Lion. When they say that root is disabled they mean that it cannot be used as a login account all users in the wheel group can still use sudo to gain superuser access. Su on the other hand does not work because there is no root password set.

Now, far be it from me to sling mud at command line lovers, who like to tell me endless stories about how they can pipe sed through awk and then grep the whole thing about 50 times more quickly than those poor schlubs clicking their mice on pretty icons and menus. I believe them, but I still prefer a GUI when trying to figure out the many options of a complex new program—and Hashcat certainly fit the bill.

Pretty much everyone prefers a GUI.

The problem is there are a million times in my ordinary workday when what you want to do simply isn't possible at all in a GUI.

And if you're doing some of your work in the command line anyway, then why not do most of it there?

I haven't had time to read all of it yet (I will though!) but you shouldn't get too unsettled.

Anybody who is using un-hashed MD5 passwords these days is an idiot. You have nothing to worry about unless you are entering your password into websites written by incompetent developers. In that case... make damn sure you don't use that password anywhere else.

(if you do use the same password for multiple websites, then this definitely should be unsettling... and I hope you stop doing it right now)

Real credit is due to Ars for raising awareness about the vulnerabilities of passwords to common crackers. More importantly, it's been done is a layman's language that's allowed me to forward it to my friends and family. Now my mom knows that the name of some obscure Greek god+123 is not a good password.

Now, if only Hotmail would allow passwords greater than 16-characters.

As much of our lives are on the internet now, you would think there would be a stronger effort to make them more secure and private. I just don't see passwords as they exist being around much longer. Though that just means the next implementation of security will be under attack until it is obsolete too. It is the never ending war of security.

For years now I've been using entire phrases, or max length allowed, spelled in |33+ speak for my passwords. For example, I've a Hotmail account I've not used in so long that I can't even remember the email address. The password to that account is a line from an old nursery rhyme.... in |33+. The end result just looks like a garbled string of nonsense.

The only reason I did it was as a game. Waiting to see who out there is willing to put for the time and effort to brute-force one my passwords.

Now on some sites - This one for example - I do use simple passwords that would be relatively easy to crack. But if my Ars password was cracked, seriously.... What are they going to do with it? Troll the forums and get me banned from the the site?! Ooooooo.... scary....

Regarding the subhead.. "Cracking passwords is officially a "script kiddie" activity now." It really has been that way for a LONG time.. running john the ripper was never terribly difficult, and it's been around for 10+ years...

Real credit is due to Ars for raising awareness about the vulnerabilities of passwords to common crackers. More importantly, it's been done is a layman's language that's allowed me to forward it to my friends and family. Now my mom knows that the name of some obscure Greek god+123 is not a good password.

Now, if only Hotmail would allow passwords greater than 16-characters.

Thanks--was trying to do this one in way accessible to the kinds of people who would generally not read password cracking stories.

For years now I've been using entire phrases, or max length allowed, spelled in |33+ speak for my passwords. For example, I've a Hotmail account I've not used in so long that I can't even remember the email address. The password to that account is a line from an old nursery rhyme.... in |33+. The end result just looks like a garbled string of nonsense.

Just for the record, leetspeak is an extraordinarily poor password protection scheme. The author of this article, far from an expert password hacker, was able to use a leetspeak filter. A computer doesn't find leetspeak much harder to crack than standard English.

Now, using a long phrase is a good security measure. Using a non-unique phrase such as a nursery rhyme, not so much.

Don't get me wrong, it's certainly better than Belinda1982 or whatever. It's not, however, as secure as you think it is. It's definitely attackable through non-brute-force approaches.

The lesson we all need to learn is that the only truly secure passwords are long randomly generated strings.

Thanks again for raising awareness and reminding us to change our passwords.Changed my gmail, facebook, amazon, paypal and banking sites passwords.(It's been 8 years since I changed my gmail password, which is to say it was still my original password.)

Not entirely happy that one of the banks only allows a 12 char. max password.

Most of my passwords are 16 characters, random, and as many different character types as I can manage.

The problem is that a lot of websites (Blizzard!) have unstated upper password requirements. In Blizzard's case I never realized that there is (was? Haven't changed my pass since the hack) a requirement for upper/lower/numbers and less than 12 characters; my password (by happenstance) had 4 extra characters, one of which was a symbol. It worked in the WoW password slot which apparently truncated the entry silently, but not on the website. >_<

Great to see the sequence of steps you went through, from no knowledge to 'I know how to do this', with the only hand-holding being stuff other people had written about on their blogs.

Stating outright "people don't try your password on a site a billion times, they try it on THEIR computer a billion times, and only once they have confirmed the password works, do they move to the actual site" is so hugely important; a lot of people still think that the 'try three or more times and you get locked out, haha you can't crack -my- password', because they don't understand the "offline" nature of the cracking process.

I'm moving to 25 character random alphanumerics + punctuation for my important accounts, stored in a KeePass database at home. The keepass database is also on my iPad so when I'm out an about, I can still (nominally) access my passwords.

A good read, and thanks for going through that day of effort and documenting just how easy it is to become a Script Kiddie these days.

For years now I've been using entire phrases, or max length allowed, spelled in |33+ speak for my passwords. For example, I've a Hotmail account I've not used in so long that I can't even remember the email address. The password to that account is a line from an old nursery rhyme.... in |33+. The end result just looks like a garbled string of nonsense.

The only reason I did it was as a game. Waiting to see who out there is willing to put for the time and effort to brute-force one my passwords.

Post your hash.

Ausculta wrote:

Now on some sites - This one for example - I do use simple passwords that would be relatively easy to crack. But if my Ars password was cracked, seriously.... What are they going to do with it? Troll the forums and get me banned from the the site?! Ooooooo.... scary....

If your Ars password gets cracked, and is the same password you use for other sites, you're in trouble. Perhaps you are using a modified hotmail password for your Ars account?

The best passwords are still those posited by XKCD (http://xkcd.com/936/) - four (two is next to worthless and three is not that good) random words strung together.

The example given is "correctbatteryhorsestaple" which you should NOT use, at it exists in most password dictionaries by now. Assuming the website is not rubbish with their hashing algorithm, adding the four-random word rule to your attempts to crack the password means you'll be looking at years rather than seconds for the password to fall.

Phrases might be ok, but they'll often appear in dictionaries and crackers that can create phrases are not too far away.

Of course 16+ truly random characters is slightly harder to break, but it's also impossible to remember.

People want to use a password that's easy to remember. But you should use a long gibberish (non-dictionary) password. These requirements conflict, so I rephrase the problem. You need an easy-to-remember pass-phrase and an automatic way to use it to generate a long gibberish pass-word, and the method should be one-way/trapdoor. Like this:alias cryptpw='read pass;echo $pass|md5sum|base64|cut -c -16'$ cryptpwWhat's for lunch?ODE0MzZkNGJlMDYyThat password will be re-encrypted by a website, and if that website is hacked and the above password is produced by decryption, there's no way to know it's valid.

"my password was actually in the RockYou dictionary—but the news wasn't that bad. For one thing, my hash had not been leaked publicly, and retrieving it would require someone to break into my computer. Even that was more challenging than it used to be because OS X Lion, which I'm still running, moved password hashes into a protected directory only accessible to "root," but it kept the root account off by default"

This quote right there is the height of rationalization. Security is not something you can rely on anyone but yourself to handle. You should have struck that quote above from your article and made it clear that you're not technically any better than the average person when it comes to adequately securing yourself.

Thanks again for raising awareness and reminding us to change our passwords.Changed my gmail, facebook, amazon, paypal and banking sites passwords.(It's been 8 years since I changed my gmail password, which is to say it was still my original password.)

Not entirely happy that one of the banks only allows a 12 char. max password.

Thats better than some australian banks which only allow 6 or 8 character passwords.

This is not things I didn't know, but it is definitely things I want other people to know! The trials and tribulations you went through remind me of myself when I went through this stage. Ironically, I used this information to better myself instead of to attack others; as I hope most people do (so maybe it's not so ironic after all).

Fantastic article. There’s some really good information in here, but at no point does it go too technical that it will scare off (most) non-technical people. Definitely one I’m sending out to some of my less than security-minded friends.

I just wanted to say this is a great way to discuss password security. It really gets to the practical side. You can tell people all you want to that they need a long password, etc., but they often don't listen. Showing them just how easy it is to crack the password may strike a chord though!

The best passwords are still those posited by XKCD (http://xkcd.com/936/) - four (two is next to worthless and three is not that good) random words strung together.

Actually, three or four random words with a numeral or special character inserted between each word are much better (will defeat -every- lowercase brute force attack). Even just capitalising the Nth letter of each of your words gives a dramatic improvement in security. "coRrectbaTteryhoRsestAple"

Longer is indeed always better, but the following are also good tips:* numeral or special character inserted somewhere in the middle of the password. (It's computationally easy to check prepends and postpends, but still difficult to check every possible position.)* ditto for capitalisation. The rules out there mean that "HorseStaple" is really no more secure than "horsestaple" (because it's the most likely thing someone does to a two-word passphrase, and thus only double the time to check), but "hoRsestAple" adds 5x6+2=33 permutations (if they have a rule to look for a single capitalized character in each word), which isn't great, but is still better than nothing.* Even better, replace every Nth character with something completely different. "h&rses&aple" / "hQrsesQaple" / "h5rses5aple" ... just be careful not to pick a substitution that turns a word into another word or accidentally emulates l33tsp34k.

All that aside, the MOST important thing is, if you reuse passwords, reuse them wisely.* Use unique passwords, as strong as you can stomach, for -every- account that involves access to your actual monetary resources (bank, paypal, amazon, etc)* Ditto for any email account with password reset access to the above. THIS IS IMPORTANT!* For sites where your online reputation or business would be harmed by a breakin, or where you would be seriously inconvenienced from a loss of access, use a unique password, but you don't need it to be as strong.* For generic forums and the like... try not to reuse if you can, and try to pick "good" passwords, but if the repercussions are low that it really isn't too important. These definitely lend themselves towards the "ease of use" end of the scale, as there's little for you to lose.

Plenty of other "speedy" algorithms offer better protection, including the far more secure bcrypt or scrypt.

I wouldn't consider bcrypt a speedy algorithm. Those would be the MD5's and SHA's. bcrypt was made specifically to be slow. The others were not made for protecting passwords but to allow for verification of data integrity at large scales. It's unfortunate that people still believe the prior.

Your graphs for how long stuff takes to crack are missing an important factor: keyspace. A 10 character password that has restrictions (i.e. lowercase only, no symbols...) reduces the brute force time tremendously compared to a 8 character password with full keyspace. This is an important variable to compare security of different password schemes.

Even with throwaway passwords for forums you can make them unsuitable for brute forcing or mass damage following a leak without much difficulty. caMdL878ar, chMdL878an, umMdL878ha (domain last 2, common6, domain first 2) don't really take any more effort than memorizing a 6 character random string, are long enough to be difficult to bruteforce, and give you something unique to each site that should be strong enough to resist automated attempts to use one leaked password to break into your other accounts. (A human specifically targeting you specifically is more problematic, even if they don't have two of your pws using this rule.)

There is actually a Ruby Gem on github that jokingly implements an MD5 (unsalted) hash cracker by googling the hash and hoping that the answer is on the first page of results.

Is that really a joke when it works?

Quote:

Of course 16+ truly random characters is slightly harder to break, but it's also impossible to remember.

I've memorized one such password. Ironically, I used it on a system that I didn't really care about. It is very much possible to do so.

Another possibility would be to, say, take some irrational number, memorize some sequence of digits in it, and use those. Preferably not pi or e, though I suppose if you go far enough into either it really makes no difference anyway.